Cell phones normally connect to the strongest signal from the nearest cell tower, both to maximize signal quality and to minimize their own power usage, and they authenticate to the network through those towers. International Mobile Subscriber Identity (IMSI) catchers are devices used against mobile networks to identify and eavesdrop on mobile devices, namely cell phones. A catcher emulates a cell tower, and because it presents the strongest signal, nearby phones connect to it even when they are not engaged in a telephone call. In a 2G Global System for Mobile Communications (GSM) network, authentication is one-way: the phone authenticates to the network, but the network (the tower) never authenticates to the phone, so a fake tower is relatively easy to operate. Modern 3G and 4G networks are relatively safe because they use mutual (two-way) authentication. However, service providers still use 2G/GSM as the fallback network when neither 3G nor 4G is available, so a phone that loses 3G and 4G coverage, whether by chance or because a catcher blocks them, drops back to the unauthenticated 2G mode. It is estimated that it will be years (2017 or later) before service providers abandon their 2G/GSM towers. Nor does this exclude 4G interception as a threat: modern devices such as the VME Dominator currently have this ability, and more sophisticated devices will undoubtedly be available in the future. Safeguarding an area (physically deploying towers to protect other towers) only works on a small scale, and a location-dependent list of known-good towers can be outdated or poisoned by malicious actors. Once a cell phone has been captured, a variety of "over-the-air" attacks become possible, including, but not limited to, eavesdropping on telephone calls, eavesdropping on text messages, and loading spyware onto the phone. The capture of a phone therefore needs to be detected and characterized.
Service providers do not allow IMSI catchers to operate on their networks, lawful interception notwithstanding. However, service providers are currently unable to identify rogue IMSI catchers and prevent them from operating on their networks. Conventional detection techniques are built from the perspective of users of the network, not of network operators. A user of a network cannot know with 100% confidence whether their phone is connected to a tower operated by their provider or to a "stingray" device. The conventional detection techniques rely either on setting up towers to "safeguard" a specific geographic area, or on comparing the serving tower with a historical list of known-good towers for the phone's current geographic position. As mentioned previously, safeguarding an area (physically deploying towers to protect other towers) only works on a small scale, and the location-dependent known-good tower list can be outdated or poisoned by malicious actors.
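The user-side "known-good tower list" check described above, together with the two failure modes the text names (a stale list and a poisoned list), as an added illustration that is not code from the original page or from any detection product. The cell identities, location buckets, cipher labels and the `KNOWN_GOOD` table are all constructed sample data, and the two list-independent heuristics (fallback to 2G while 3G/4G towers are known nearby, and a 2G session with ciphering disabled) are assumptions about what a phone could observe, not a description of any particular catcher.

```python
"""User-side IMSI-catcher heuristics over constructed cell observations.

Added example, not the page's own code. Shows why a location-dependent
known-good list is weak on its own: a stale list gives a false positive
and a poisoned list gives a false negative, while checks that do not
depend on the list still fire.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cell:
    """Identity of a serving cell as the phone reports it (constructed fields)."""
    mcc: int   # mobile country code
    mnc: int   # mobile network code
    lac: int   # location area code
    cid: int   # cell identity
    rat: str   # radio access technology: "2G", "3G" or "4G"


@dataclass(frozen=True)
class Observation:
    """One measurement taken by the phone (constructed fields)."""
    cell: Cell
    grid: str                        # coarse location bucket the phone is in
    cipher: str                      # GSM ciphering: "A5/1", "A5/3", "A5/0" (none), or "n/a"
    prev_rat: Optional[str] = None   # RAT the phone was camped on just before


# Hypothetical known-good list: per location bucket, the provider towers that
# were recorded there when the list was built.
KNOWN_GOOD: Dict[str, List[Cell]] = {
    "grid-17": [
        Cell(310, 260, 4021, 11001, "4G"),
        Cell(310, 260, 4021, 11002, "3G"),
        Cell(310, 260, 4021, 11003, "2G"),
    ],
}

REASON_NOT_IN_LIST = "cell not in known-good list for this location"
REASON_DOWNGRADE = "unexpected fallback to 2G while 3G/4G towers are known here"
REASON_NO_CIPHER = "2G session with ciphering disabled (A5/0)"


def evaluate(obs: Observation, known_good: Dict[str, List[Cell]]) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons).

    Combines the conventional list comparison with two checks that do not
    rely on the list, so a stale or poisoned list is not the only line of
    defence.
    """
    reasons: List[str] = []
    cells = known_good.get(obs.grid, [])

    # 1. Historical list comparison (the conventional technique).
    if obs.cell not in cells:
        reasons.append(REASON_NOT_IN_LIST)

    # 2. Downgrade: the phone was on 3G/4G and is now on 2G although a 3G/4G
    #    tower is recorded at this location.
    if (obs.prev_rat in ("3G", "4G") and obs.cell.rat == "2G"
            and any(c.rat in ("3G", "4G") for c in cells)):
        reasons.append(REASON_DOWNGRADE)

    # 3. A 2G session with no ciphering at all.
    if obs.cell.rat == "2G" and obs.cipher == "A5/0":
        reasons.append(REASON_NO_CIPHER)

    return (bool(reasons), reasons)


def scenario_genuine() -> Tuple[bool, List[str]]:
    """Phone camps on a listed 4G tower: nothing to report."""
    obs = Observation(Cell(310, 260, 4021, 11001, "4G"), "grid-17", "n/a", prev_rat="4G")
    return evaluate(obs, KNOWN_GOOD)


def scenario_catcher() -> Tuple[bool, List[str]]:
    """Unlisted 2G cell, reached by a fallback from 4G, with no ciphering."""
    fake = Cell(310, 260, 4021, 59999, "2G")
    obs = Observation(fake, "grid-17", "A5/0", prev_rat="4G")
    return evaluate(obs, KNOWN_GOOD)


def scenario_stale_list() -> Tuple[bool, List[str]]:
    """Provider added a legitimate 4G cell after the list was built: false positive."""
    new_cell = Cell(310, 260, 4021, 11004, "4G")
    obs = Observation(new_cell, "grid-17", "n/a", prev_rat="4G")
    return evaluate(obs, KNOWN_GOOD)


def scenario_poisoned_list() -> Tuple[bool, Tuple[bool, List[str]]]:
    """Attacker inserted their own cell into the list.

    Returns (list_check_alone_flags_it, full evaluation). The list check
    alone is silent; only the list-independent checks still fire.
    """
    fake = Cell(310, 260, 4021, 59999, "2G")
    poisoned = {g: list(cs) for g, cs in KNOWN_GOOD.items()}
    poisoned["grid-17"].append(fake)
    obs = Observation(fake, "grid-17", "A5/0", prev_rat="4G")
    list_only = fake not in poisoned["grid-17"]
    return list_only, evaluate(obs, poisoned)


if __name__ == "__main__":
    for name, fn in [("genuine", scenario_genuine), ("catcher", scenario_catcher),
                     ("stale list", scenario_stale_list), ("poisoned list", scenario_poisoned_list)]:
        print(f"{name}: {fn()}")
```

The stale-list scenario is flagged purely because the list is out of date, and the poisoned-list scenario passes the list comparison entirely; both outcomes are exactly the weaknesses the text attributes to the known-good list approach, and both are only recovered here by observations a network operator, not a user, is better positioned to correlate.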